Merge pull request #11628 from danog/fix_conditional_taints

Fix conditional taints

Author: danog

src/Psalm/Codebase.php

@@ -366,7 +366,12 @@ public function getOrRegisterTaint(string $taint_type, ?CodeLocation $location =
             throw new RuntimeException($err);
         }
         if ($taint_type[0] === '(') {
-            throw new AssertionError('Conditional taints cannot be registered directly');
+            $err = "Conditional taints cannot be used in this context";
+            if ($location !== null) {
+                IssueBuffer::maybeAdd(new InvalidDocblock($err, $location));
+                return null;
+            }
+            throw new RuntimeException($err);
         }
         $id = 1 << ($this->taint_count++);
         $this->custom_taints[$id] = $taint_type;

src/Psalm/Internal/Analyzer/CommentAnalyzer.php

@@ -244,6 +244,9 @@ private static function decorateVarDocblockComment(
         if (isset($parsed_docblock->tags['psalm-taint-escape'])) {
             foreach ($parsed_docblock->tags['psalm-taint-escape'] as $param) {
                 $param = trim($param);
+                if ($param[0] === '(') {
+                    continue;
+                }
                 try {
                     $var_comment->removed_taints |= $codebase->getOrRegisterTaint($param);
                 } catch (RuntimeException $e) {

src/Psalm/Internal/PhpVisitor/Reflector/FunctionLikeDocblockParser.php

@@ -353,7 +353,7 @@ public static function parse(
                 } elseif ($param[0] === '(') {
                     $line_parts = CommentAnalyzer::splitDocLine($param);
 
-                    $info->removed_taints[] = CommentAnalyzer::sanitizeDocblockType($line_parts[0]);
+                    $info->conditionally_removed_taints[] = CommentAnalyzer::sanitizeDocblockType($line_parts[0]);
                 } else {
                     $info->removed_taints[] = explode(' ', $param)[0];
                 }

src/Psalm/Internal/PhpVisitor/Reflector/FunctionLikeDocblockScanner.php

@@ -368,28 +368,27 @@ public static function addDocblockInfo(
         }
 
         foreach ($docblock_info->removed_taints as $removed_taint) {
-            if ($removed_taint[0] === '(') {
-                self::handleConditionallyRemovedTaint(
-                    $codebase,
-                    $stmt,
-                    $aliases,
-                    $removed_taint,
-                    $function_template_types,
-                    $class_template_types,
-                    $type_aliases,
-                    $storage,
-                    $classlike_storage,
-                    $cased_function_id,
-                    $file_storage,
-                    $file_scanner,
-                );
-            } else {
-                $t = $codebase->getOrRegisterTaint($removed_taint, $location);
-                if ($t !== null) {
-                    $storage->removed_taints |= $t;
-                }
+            $t = $codebase->getOrRegisterTaint($removed_taint, $location);
+            if ($t !== null) {
+                $storage->removed_taints |= $t;
             }
         }
+        foreach ($docblock_info->conditionally_removed_taints as $removed_taint) {
+            self::handleConditionallyRemovedTaint(
+                $codebase,
+                $stmt,
+                $aliases,
+                $removed_taint,
+                $function_template_types,
+                $class_template_types,
+                $type_aliases,
+                $storage,
+                $classlike_storage,
+                $cased_function_id,
+                $file_storage,
+                $file_scanner,
+            );
+        }
 
         self::handleTaintFlow($docblock_info, $storage);
 

src/Psalm/Internal/Scanner/FunctionDocblockComment.php

@@ -99,7 +99,12 @@ final class FunctionDocblockComment
     public array $added_taints = [];
 
     /**
-     * @var array<string>
+     * @var list<string>
+     */
+    public array $conditionally_removed_taints = [];
+
+    /**
+     * @var list<string>
      */
     public array $removed_taints = [];
 

src/Psalm/Type/TaintKind.php

@@ -12,6 +12,36 @@
  */
 final class TaintKind
 {
+    public const INPUT_CALLABLE = (1 << 0);
+    public const INPUT_UNSERIALIZE = (1 << 1);
+    public const INPUT_INCLUDE = (1 << 2);
+    public const INPUT_EVAL = (1 << 3);
+    public const INPUT_LDAP = (1 << 4);
+    public const INPUT_SQL = (1 << 5);
+    public const INPUT_HTML = (1 << 6);
+    public const INPUT_HAS_QUOTES = (1 << 7);
+    public const INPUT_SHELL = (1 << 8);
+    public const INPUT_SSRF = (1 << 9);
+    public const INPUT_FILE = (1 << 10);
+    public const INPUT_COOKIE = (1 << 11);
+    public const INPUT_HEADER = (1 << 12);
+    public const INPUT_XPATH = (1 << 13);
+    public const INPUT_SLEEP = (1 << 14);
+    public const INPUT_EXTRACT = (1 << 15);
+    public const USER_SECRET = (1 << 16);
+    public const SYSTEM_SECRET = (1 << 17);
+
+    public const ALL_INPUT = (1 << 16) - 1;
+
+    /** @internal */
+    public const NUMERIC_ONLY = self::INPUT_SLEEP;
+    /** @internal */
+    public const BOOL_ONLY = self::INPUT_SLEEP;
+
+    /** @internal Keep this synced with the above */
+    public const BUILTIN_TAINT_COUNT = 18;
+
+
     // Map of taint kind names to their bitmask values, used in taint annotations
     public const TAINT_NAMES = [
         'callable' => self::INPUT_CALLABLE,
@@ -33,36 +63,9 @@ final class TaintKind
         'user_secret' => self::USER_SECRET,
         'system_secret' => self::SYSTEM_SECRET,
 
+        'input_except_sleep' => self::ALL_INPUT & ~self::INPUT_SLEEP,
+
         'input' => self::ALL_INPUT,
         'tainted' => self::ALL_INPUT,
     ];
-
-    public const INPUT_CALLABLE = (1 << 0);
-    public const INPUT_UNSERIALIZE = (1 << 2);
-    public const INPUT_INCLUDE = (1 << 3);
-    public const INPUT_EVAL = (1 << 4);
-    public const INPUT_LDAP = (1 << 5);
-    public const INPUT_SQL = (1 << 6);
-    public const INPUT_HTML = (1 << 7);
-    public const INPUT_HAS_QUOTES = (1 << 8);
-    public const INPUT_SHELL = (1 << 9);
-    public const INPUT_SSRF = (1 << 10);
-    public const INPUT_FILE = (1 << 11);
-    public const INPUT_COOKIE = (1 << 12);
-    public const INPUT_HEADER = (1 << 13);
-    public const INPUT_XPATH = (1 << 14);
-    public const INPUT_SLEEP = (1 << 15);
-    public const INPUT_EXTRACT = (1 << 16);
-    public const USER_SECRET = (1 << 17);
-    public const SYSTEM_SECRET = (1 << 18);
-
-    public const ALL_INPUT = (1 << 17) - 1;
-
-    /** @internal */
-    public const NUMERIC_ONLY = self::INPUT_SLEEP;
-    /** @internal */
-    public const BOOL_ONLY = self::INPUT_SLEEP;
-
-    /** @internal Keep this synced with the above */
-    public const BUILTIN_TAINT_COUNT = 19;
 }

stubs/CoreGenericFunctions.phpstub

@@ -832,79 +832,19 @@ function array_product(array $array) {}
  * @psalm-pure
  *
  * 257 is FILTER_VALIDATE_INT
- * @psalm-taint-escape ($filter is 257 ? 'callable' : null)
- * @psalm-taint-escape ($filter is 257 ? 'unserialize' : null)
- * @psalm-taint-escape ($filter is 257 ? 'include' : null)
- * @psalm-taint-escape ($filter is 257 ? 'eval' : null)
- * @psalm-taint-escape ($filter is 257 ? 'ldap' : null)
- * @psalm-taint-escape ($filter is 257 ? 'sql' : null)
- * @psalm-taint-escape ($filter is 257 ? 'html' : null)
- * @psalm-taint-escape ($filter is 257 ? 'has_quotes' : null)
- * @psalm-taint-escape ($filter is 257 ? 'shell' : null)
- * @psalm-taint-escape ($filter is 257 ? 'ssrf' : null)
- * @psalm-taint-escape ($filter is 257 ? 'file' : null)
- * @psalm-taint-escape ($filter is 257 ? 'cookie' : null)
- * @psalm-taint-escape ($filter is 257 ? 'header' : null)
+ * @psalm-taint-escape ($filter is 257 ? 'input_except_sleep' : null)
  *
  * 258 is FILTER_VALIDATE_BOOLEAN
- * @psalm-taint-escape ($filter is 258 ? 'callable' : null)
- * @psalm-taint-escape ($filter is 258 ? 'unserialize' : null)
- * @psalm-taint-escape ($filter is 258 ? 'include' : null)
- * @psalm-taint-escape ($filter is 258 ? 'eval' : null)
- * @psalm-taint-escape ($filter is 258 ? 'ldap' : null)
- * @psalm-taint-escape ($filter is 258 ? 'sql' : null)
- * @psalm-taint-escape ($filter is 258 ? 'html' : null)
- * @psalm-taint-escape ($filter is 258 ? 'has_quotes' : null)
- * @psalm-taint-escape ($filter is 258 ? 'shell' : null)
- * @psalm-taint-escape ($filter is 258 ? 'ssrf' : null)
- * @psalm-taint-escape ($filter is 258 ? 'file' : null)
- * @psalm-taint-escape ($filter is 258 ? 'cookie' : null)
- * @psalm-taint-escape ($filter is 258 ? 'header' : null)
+ * @psalm-taint-escape ($filter is 258 ? 'input' : null)
  *
  * 259 is FILTER_VALIDATE_FLOAT
- * @psalm-taint-escape ($filter is 259 ? 'callable' : null)
- * @psalm-taint-escape ($filter is 259 ? 'unserialize' : null)
- * @psalm-taint-escape ($filter is 259 ? 'include' : null)
- * @psalm-taint-escape ($filter is 259 ? 'eval' : null)
- * @psalm-taint-escape ($filter is 259 ? 'ldap' : null)
- * @psalm-taint-escape ($filter is 259 ? 'sql' : null)
- * @psalm-taint-escape ($filter is 259 ? 'html' : null)
- * @psalm-taint-escape ($filter is 259 ? 'has_quotes' : null)
- * @psalm-taint-escape ($filter is 259 ? 'shell' : null)
- * @psalm-taint-escape ($filter is 259 ? 'ssrf' : null)
- * @psalm-taint-escape ($filter is 259 ? 'file' : null)
- * @psalm-taint-escape ($filter is 259 ? 'cookie' : null)
- * @psalm-taint-escape ($filter is 259 ? 'header' : null)
+ * @psalm-taint-escape ($filter is 259 ? 'input_except_sleep' : null)
  *
  * 519 is FILTER_SANITIZE_NUMBER_INT
- * @psalm-taint-escape ($filter is 519 ? 'callable' : null)
- * @psalm-taint-escape ($filter is 519 ? 'unserialize' : null)
- * @psalm-taint-escape ($filter is 519 ? 'include' : null)
- * @psalm-taint-escape ($filter is 519 ? 'eval' : null)
- * @psalm-taint-escape ($filter is 519 ? 'ldap' : null)
- * @psalm-taint-escape ($filter is 519 ? 'sql' : null)
- * @psalm-taint-escape ($filter is 519 ? 'html' : null)
- * @psalm-taint-escape ($filter is 519 ? 'has_quotes' : null)
- * @psalm-taint-escape ($filter is 519 ? 'shell' : null)
- * @psalm-taint-escape ($filter is 519 ? 'ssrf' : null)
- * @psalm-taint-escape ($filter is 519 ? 'file' : null)
- * @psalm-taint-escape ($filter is 519 ? 'cookie' : null)
- * @psalm-taint-escape ($filter is 519 ? 'header' : null)
+ * @psalm-taint-escape ($filter is 519 ? 'input_except_sleep' : null)
  *
  * 520 is FILTER_SANITIZE_NUMBER_FLOAT
- * @psalm-taint-escape ($filter is 520 ? 'callable' : null)
- * @psalm-taint-escape ($filter is 520 ? 'unserialize' : null)
- * @psalm-taint-escape ($filter is 520 ? 'include' : null)
- * @psalm-taint-escape ($filter is 520 ? 'eval' : null)
- * @psalm-taint-escape ($filter is 520 ? 'ldap' : null)
- * @psalm-taint-escape ($filter is 520 ? 'sql' : null)
- * @psalm-taint-escape ($filter is 520 ? 'html' : null)
- * @psalm-taint-escape ($filter is 520 ? 'has_quotes' : null)
- * @psalm-taint-escape ($filter is 520 ? 'shell' : null)
- * @psalm-taint-escape ($filter is 520 ? 'ssrf' : null)
- * @psalm-taint-escape ($filter is 520 ? 'file' : null)
- * @psalm-taint-escape ($filter is 520 ? 'cookie' : null)
- * @psalm-taint-escape ($filter is 520 ? 'header' : null)
+ * @psalm-taint-escape ($filter is 520 ? 'input_except_sleep' : null)
  *
  * @psalm-flow ($value, $filter, $options) -> return
  */

tests/TaintTest.php

@@ -260,7 +260,7 @@ function foo() : void {
             ],
             'taintFilterVar' => [
                 'code' => '<?php
-                    /** @psalm-taint-sink input $value */
+                    /** @psalm-taint-sink input_except_sleep $value */
                     function taintSink(mixed $value): void {}
 
                     taintSink(filter_var($_GET["bad"], FILTER_VALIDATE_INT));